
tv   Consumer Issues  CSPAN  May 11, 2018 9:06am-11:52am EDT

9:06 am
good morning. never sure about these microphones. good morning, everyone. i'm bob adler, i'm one of the commissioners at the consumer products safety commission. it's my distinct honor and pleasure to introduce this morning's keynote speaker, acting cpsc chairman, ann marie
9:07 am
buerkle. i'm going to digress for one second, because i wanted to recognize two exceptional folks. first, no surprise, steve brobeck, who has been the executive director of cfa for either 37 or 38 years, depending on when the clock started. what an exceptional career. and i have to say, yesterday when he got that standing ovation, if i could have done projectile tears, i would have. it was such a moving moment. and the other person, of course, is rachel weintraub. rachel must be one of the hardest-working people who populate the earth. [ applause ] i swear, every panel i went to yesterday, she was introducing the speaker, and she was moderating the panel. and rachel, your questions were so thoughtful, so incisive. and you brought out the best in the speakers. they were just terrific panelists, and i give you great credit for that. so turning now to ann marie, she's had a truly distinguished
9:08 am
career. starting out as a nurse in 1972, and then 20-plus years later, graduating from syracuse law school. are you ready for this? while raising six children. and believe me, she raised them. [ applause ] and i think you now have 17 grandchildren, am i correct about that? as a lawyer, she served as an assistant new york state attorney general on behalf of upstate medical university for 13 years before running for and winning a seat in the u.s. house of representatives from new york's 25th congressional district. she joined the commission in 2013, and i note in february 2017 she was voted in unanimously as acting chair of the agency by her fellow commissioners. and on july 24th last year, president trump nominated ann marie to be permanent chair and to receive a seven-year term as commissioner. ann marie has been my esteemed friend -- excuse me, esteemed colleague and good friend for the past five years.
9:09 am
and i have to say this. notwithstanding the fact that she and i almost never vote the same way when it comes to product safety issues. in fact, i think after most of the votes, we look at each other and we scratch our heads and say, how could somebody i like so much and respect so much be so damned wrong consistently? [ laughter ] and i haven't given up trying to change her mind, and she certainly hasn't given up trying to change my mind. and it's always done with great respect. but in spite of our profound disagreements on policy, i think ann marie has been a terrific addition to cpsc. as a starting point, unlike many new appointees, in particular with this administration, dare i say, ann marie recognized early on the extraordinary talent and dedication of cpsc staff. from the get-go, she has treated them with respect, has listened to them at all times, she buys completely the need for diversity at all levels of the agency, and she has worked
9:10 am
tirelessly to promote it. further -- and she's been a fairly lonely voice. and i want to amend that. i think she's been the lonely voice among folks named by the administration to high office in that she has fought vigorously for an expanded budget for cpsc. we are a really tiny agency, and i've said this time and time again. if you look at fda, their requests for an increase in funds, not getting them, but their requests for increased funds, that's always bigger than our entire budget. we are a very tiny agency. so we owe her a huge debt of gratitude for her strong support. and i want to commend her for her insistence on running the agency with dignity and civility. at times she's had to put up with colleagues going rogue on her, probably including me. she's always refrained from responding in kind or letting our meetings look like recess at a school for delinquents.
9:11 am
in fact, i think most people would agree with me on this, she is a good person who listens to any and all voices who acts with integrity and manages the agency as an honest broker. so i present acting cpsc chair, ann marie buerkle. [ applause ] thank you, very, very much, bob, for that very kind introduction. as bob pointed out, while we disagree on many issues, we have found a way to have a civil and substantive discussion about these issues. and so i think that is a lesson we could really carry across washington and across the country. because no one is going to ever agree with anyone on everything. and that's just how life is. but being able to discuss it and continue to move the ball forward, in particular when you're talking about consumer safety, that kind of conversation is critical. and so i so appreciate bob, his
9:12 am
thoughtfulness, his love of the agency, his concern for the integrity of the agency, and his willingness to never -- and i mean never -- put himself first. it is not about bob adler, it's about consumer safety. and so we share that. and that's where we start from, and it has been my five years at cpsc have been a really wonderful five years because of bob adler. he has really been a true friend. and truth be known, we love our steak dinners, and i think that's what our true bond is. [ laughter ] i want to begin by thanking the consumer federation of america for this opportunity to be here. and bob spoke about rachel, but i want to take a minute to really appreciate what rachel does to advance product safety and consumer safety. she is a tireless fighter for the consumer, and for consumer safety. if there is an event, if there is a hearing, if there is a briefing, rachel is there, and
9:13 am
rachel provides such important input. and so we recognize her with bob, and i want to recognize her again. the consumer is much safer because of rachel weintraub and what she does to promote consumer safety and product safety. [ applause ] and i will say about rachel, she promotes and she works on behalf of the consumer, but she does it in a thoughtful way. she does it in a way that engages all of us. and she does it in a way that finds that common ground, and seeks to find solutions. it's one thing to just talk. a lot of people love to just talk. as bob will attest to in our agency. however, seeking solutions is the key here. and that's what rachel is always trying to do, and i so appreciate her willingness to do that, and her willingness to invite me here today. so thank you very much.
9:14 am
bob spent, which is really good, because i have about three pages. many of you don't know me, and i was going to introduce myself. i will -- and i thank bob for giving me my bio. but i did start out as a nurse. and so i've spent my life in advocacy, pretty much. in 1969 when i graduated from high school, you went to a small catholic high school, you walked into the guidance office and sister dolores ann who was your typing teacher, bookkeeping teacher and guidance counselor, gave you a few choices, and one of those choices was to be a teacher, a nurse, a homemaker, or you could become a nun and go into the convent and have a vocational, which is what they always pushed first and last. and i chose nursing. and i've loved nursing. in fact, one of my -- my youngest daughter is a nurse. but it is a true profession of advocacy. and so that's where i've got my roots, and as they say, my bones. and started there being an advocate for the patient.
9:15 am
and then in 1991, i decided i wanted to go back to school. and by then i had had the six kids and syracuse university gave me a terrific opportunity, because i was as nontraditional a student as one could be. my oldest son was 15, my youngest one was 4, and she would come with me when she wasn't in daycare. and i went to law school. and i am forever grateful to syracuse university for that opportunity, because many would not have been willing to take that risk. so after law school, i worked for the attorney general. we represented a teaching hospital in new york state. any state-run hospitals, if you're familiar with the suny system, this was a suny hospital. the new york attorney general's office let's them. we did the contracting and insurance kinds of efforts. and so that's what i did for 13 years and then decided i was going to run for congress. so i spent 13 years being an advocate at the hospital, and then went into congress. and despite all you hear about
9:16 am
members of congress and the functionality of congress, most in congress want to try to do the right thing. they are advocates for the people and the constituents who live in their districts. and that's what i did for one term, and then in 2013, i was not re-elected. and president obama, through mitch mcconnell's office, called me up and said, do you want to be a commissioner at the consumer products safety commission? and i said, i'm not quite sure what that is. but i assumed and took on the role and that's where i first met bob adler. he sent me a very kind e-mail, welcoming me to the agency. and then i've been there for the last five years. in -- with the election, my colleagues chose me to be the vice chair, the way it works there, so the vice chair becomes the acting chair. and so when the administration changed, i became the vice chair, and then the acting chair. so i am the acting chair right now. and the status of the agency
9:17 am
right now is a bit odd, i will say. and if you've watched any of our hearings or briefings, you'll notice that there's only one republican and three democrats in a republican administration, regardless of your party affiliation, that is just an odd situation. and to be chairman and the minority is also an odd situation, which is why i appreciate bob so very much. so we -- i'm waiting to be confirmed by the senate. there is another person who is being -- her name is dana baiocco, waiting to be confirmed by the senate. she will replace commissioner robinson. and yet then there is still a third vacancy, created by commissioner mohorovic leaving the agency. and so there will be another appointment to that position. and then we'll be at full tilt. there will be five commissioners. this morning i want to just talk briefly about my priorities. and then i want to just get into a number of issues i think probably are of interest to you
9:18 am
and what is going on at the agency right now. my priorities, and i think it's important to realize cpsc's priorities, are guided very -- i won't say rigidly, but sort of rigidly, by a regulatory agenda, by our strategic plan and by our operating plan. so no one person can direct the agency in one direction. those are plans that we all agree on and we vote to move the agency forward. but i will encourage, as my role as acting chair, i will encourage a few priorities of my own. first of all, identifying the highest priority risks and hazards and emerging hazards. i think that's key. we have to be careful not to be looking for the shiny object, but to keep our eyes focused on what the emerging hazards are, and what are our highest priorities and our risks. and as bob mentioned, we're a small agency. we only have 550 employees. our budget ranges in the area of 125 to $130 million. and by all government accounts,
9:19 am
that's small. and i will say to you, bob mentioned it, when you are in the legislative branch or you're not involved in running an agency, your thought is, well, we need to cut spending. and i am very, you know, concerned about our national debt. however, when you are trying to run an agency, you have to have the resources to accomplish your mission. and to be able to enforce your laws. that you're required to do. and so i have been an advocate. i've worked with omb, i've worked with the white house and i've worked with congress, and will be back up there. bob and i are going to go back up in a few weeks to meet with the senate side about funding the agency at a level where we can even keep level with inflation, and then be able to do what i want to do, and that is to look out over the horizon and see these emerging technologies and these emerging hazards and be poised and able to respond to them as an agency. so appropriate levels of funding are very important to what we do. secondly, i'd like to improve our import surveillance.
9:20 am
third, strengthen collaboration, education and outreach. and four, enhance the agency's data capabilities. so i'll just briefly touch on those four issues. as we've mentioned, cpsc's mission is to protect the consumer from unreasonable risks of injury or death associated with any consumer product in our jurisdiction. and what we need to do is ensure that our resources are dedicated again to those highest risks and priorities. and that we focus on emerging technologies. we have to be keen, and we have to be paying attention to what is going on out there. we have seen this play out with lithium ion batteries, both in the hoverboards, as well as the phones. and so we know, while emerging technologies and new technologies can be very helpful to the consumer, they also pose risks that we need to be aware of and be paying attention to. on import surveillance, i think
9:21 am
one of the best ways we can keep the consumers safe is to keep the unsafe products out of the stream of commerce. prevent them from ever coming into this country. i serve as vice chairman of an organization called bic, b-i-c, which is the border interagency enforcement council. we work very closely to ensure that us, along with other government agencies, have a presence at the ports. we have some of our field investigators colocated at the ports with cbp, and we work very closely with them, and our risk assessment methodology to make sure we're paying attention to the products that are coming into this country so we can keep unsafe products and violative products out of the stream of commerce. because it's much easier to stop them at the ports than it is to try to get them back once they're out with the consumer. collaboration and education and outreach is i think is critical
9:22 am
to the agency's success and something very important to me. we have jurisdiction over about 15,000 types of consumer products. therefore, we cannot do it alone. not with our limited budget and with our limited staff, and the expertise of our staff. as good as they are, we need to reach out and be engaged with other stakeholders to help us advance our mission. and that's why rachel's participation and other stakeholders' participation is so key to our success, because we need that input. we need that expertise at the agency. while -- and what we do -- and you're all familiar with what we do in terms of consumer education. we have our anchor campaign, our pool safely campaign. we have a number of campaigns. right now we're in the middle of portable generators and carbon monoxide as we prepare for the hurricane season. those kinds of safety campaigns. they're key in helping the consumer even understand and appreciate the risks associated with some consumer products. i think it's a very important
9:23 am
part of what we do. but i think at the same time we also have to teach the regulated community, what do we expect of them, how are you going to comply with our laws and regulations? you must, because -- or your products aren't going to get into the stream of commerce, or once they're in the stream, we're going to have to pull them out in a recall. so what we have done, and we've been pretty active with this, and bob mentioned our staff, they have been terrific. we have a remarkable small business ombudsman who has been excellent in her webinars, in her work to try to inform and educate small business owners. and new people are trying to get into business. she -- shelby matheson is her name, and will cusey works with her. they're now developing the regulatory robot, which you have heard. they are now actively upgrading it to be the regulatory robot
9:24 am
two, which will be a good resource for small businesses. if you've got a product, how do you regulate it, if it's a toy, what does that mean? so that will be active by the end of the year, this new improved and user-friendly regulatory robot. our international team is very, very active. and also a very important component of consumer safety. no product safety agency cannot pay attention to the commerce, to the international commerce and what's going on today. i want to just talk briefly about what we've done, what our international team has done in terms of -- and they work closely with our hazard identification team in doing these worldwide seminars to help educate the regulated community. during the past two-and-a-half years, we've trained over 2,500 industry representatives overseas on product safety requirements. last year i spoke at one for
9:25 am
bicycle manufacturers in taiwan and saw firsthand these seminars are so popular, because it's so much easier to execute and to comply with our laws and our regulations, if you know what they are, and you understand them. last year in china, we held our first-ever training day for test labs, attended by well over 200 conformity test assessment professionals. speaking of buyers' training, the international team conducted three this past march. one in shanghai, one in guangzhou and one in ho chi minh city. and so they're very active in talking about and educating the stakeholders in the regulated community. last week we had health canada and profeco in, and we talked about keeping all of north america safe. we do many bilateral and trilateral recalls with our two partner countries, and understanding how -- what we have to deal with, and what
9:26 am
they're dealing with, and so we had two full days. one was a closed meeting on the government side with just the government staff, and then the next day was open with public panels and forums to talk about the issues and how we can work better. how can we work more efficiently to keep the consumer safe in all of north america? so that was last week. and next month we will be hosting the eu and china for another trilateral summit. we look forward to that, as well. again, those kinds of conversations are key to keeping the consumer safe. and then lastly, one of my priorities is data. we need to be able to expand our sources of data and our capabilities of analyzing that data. it's one thing to get in a lot of data. but if we don't have the resources and the staff and the technology to assess that data to understand where the risks and the hazards are, it's for naught.
9:27 am
so we need to improve on both of those fronts. and we need to be constantly looking around and being aware of new sources of data that will enhance our capability to assess risks and hazards out there. one of the -- we recently had our priorities hearing, and i think when we are looking at sources of data, it's important to talk about safer throughout the course of our priorities hearing it was raised. rachel was one of the people who raised but others, as well. is old. it needs to be enhanced. it needs to be modernized and needs to be made more user-friendly. so we will be working to do that in the weeks and months ahead to see what we can do and put that in the operating plan so we can make that source of data even more effective and more user-friendly. and then we need to raise awareness to the consumer that that's a good portal for you to share your experience and your
9:28 am
information with us. and so stay tuned. there will be improvements and work being done on in consideration of just a couple of other issues that the agency is focused on, and paying attention to. just to bring you up to speed on the agency. the first thing are the voluntary standards. the voluntary standards are critical to safety development. and it's really a very significant part of what we do at cpsc. our staff is engaged in well over 70 voluntary standards committees. and so we are actively involved. a few years back we gave our staff the ability to vote and to take leadership positions on these voluntary standards committee, because we believe in and we have been directed by congress that when the voluntary standard will adequately address
9:29 am
the hazard and when it will be complied with, with the regulated community, that's their preference for us. so voluntary standards are an important part of what we do, and we are actively involved in it. and i again want to thank rachel and the consumer federation of america for her active involvement. rachel -- i don't know how you do it. every issue that is brought up, bob mentioned it, and i'll mention it. rachel is there. and she's well-informed, and she's sharing an important message. and so thank you. voluntary standards is a very important part of what we do. the next issue, and you may have heard on recall effectiveness -- recall effectiveness is a challenge to the agency. on a number of levels and for a number of reasons. it's a very thought-provoking issue, and it may be an art rather than a science, trying to understand how we can get the consumer to listen and to even then react to a recall.
9:30 am
it's -- it is a challenge for all of us. because if it's been identified that there is a substantial product hazard, there is a defect, that product needs to be recalled. or if a company chooses to do a fast track recall, we need to get the consumer's attention. and so last september we had a workshop, recall effectiveness workshop. and as a result of that, and you can look on our website, but staff compiled a list of the ideas and the discussion that were had about recall effectiveness. and it seems like we've gone silent on this issue. but i want to say, we have not. staff has continued to work on this issue and trying to determine what the best way forward is. i think the one thing we have identified in all of the work that's gone into recall effectiveness is if we can get to the consumer directly, if we can have direct access to the consumer, that's how we're going to let them know about this
9:31 am
recall. and what their options are and their remedies to be able to return that product. and where to return it and why to return it. and so we're working -- and staff is working extremely hard. and you will see more in the very near future about what staff is doing for recall effectiveness. emerging technologies and iot. i mentioned that previously, and yesterday i know you had a panel on iot and emerging technologies. as i mentioned, these products and these smart products really can enhance the consumers' life. but we also have to be realistic, because when there is that enhancement, there is new technology, and with new technology, there can be issues. now, we are not -- i won't say we're not concerned -- but the privacy and the security issues, we see that as not our jurisdiction. that's ftc. we're very comfortable with that. but what we do believe is when there is a breach of any sort, or when there is a malfunction in that software, that can
9:32 am
affect the product safety. that can affect the safety of whatever the product is. and so that is of concern to us, and that would be of concern to us. so next week i've asked staff to have a hearing on iot. we have a hearing next wednesday, the 16th, and so far we have at least 15 presenters coming in. so there's been a good response to it across the -- the horizon, all kinds of people coming in to testify about iot, which is what we need. we need to be informed on the issue. where do we need to be looking? what are the possible safety issues that we could encounter. and, again, i'm delighted that rachel will be there to share her ideas and her thoughts. beyond the iot and smart products, there's 3-d printing, there is big data and e-commerce. those are all issues as commerce changes and the way companies do business and the way the
9:33 am
consumer buys their product changes, we need to be paying attention and involved in those discussions. and next week -- or excuse me, next month in june, amazon is hosting, and we'll have the opportunity to talk to them about e-commerce, which i think will be key to how we address some of these issues. i've got a sign over there that i have a few minutes left. so let me scoot here to the end. i just want to mention furniture tipovers. that is another issue of high priority in our agency. and i just want to say that under my leadership, the agency will be pursuing vigorously, there's rule-making, there's voluntary standards, there's educational campaigns. the anchor it campaign is a multifaceted approach to a very difficult problem, one that, as you know very well, can kill young children. and so we need to figure out a
9:34 am
way to make dressers safe for children. and so i just want to say, we are aggressively working on that issue at the agency. window coverings is another issue, i think. thanks to rachel and all of the efforts done, a giant step forward was made with window coverings, and the safety of window coverings in the voluntary standards arena. that there will be no stock products with cords available in stores. that is a huge leap forward. and really thanks to the people who participated in the voluntary standards, just in terms of safety for young children, it's so critical and such a success story. there's more to be done, because now we have to deal with the custom products. but there's no reason not to move forward on the stock products and then deal with the custom products. but that was -- i think and to
9:35 am
the voluntary standards committee, i think they deserve great credit, including rachel, for the success in moving that safety issue forward. organohalogens. i think that convening a chap on halogens, i think that is a good idea. i just disagreed with the order of things with my colleagues. i thought we should convene and find out about organohalogens and do it by chemical by chemical. that is in process and that is being done as we speak. we are working with the national academy of science to move the ball forward, as was directed by the commission. before i close here this morning, as i'm going to get a hook pretty soon, i want to introduce to all of you my new communications director, aaron joyce, who is here up in the front. aaron just joined us this past monday.
9:36 am
and i asked her to come here this morning to meet rachel and to meet consumer federation of america, because it's very important that we work together and that we share the same message and safety message to the consumer. so erin, i'm glad to welcome you aboard to cpsc. i also want to say to all of you, as i say every time i speak, myself and the agency and all of our staff and the commissioners work for all of you, the american people. and my door is always open. if there is anything that i can ever be of assistance of or to or you have an issue or a concern about the agency, i hope you will feel free to reach out to my office and to contact me so that we can have that important discussion. and i will just say, the door is always open. in closing, i want to say that cpsc's mission is a critical one. it is critical. maybe one of the most important of a government agency to keep the consumer safe from
9:37 am
unreasonable risks of injury and harm. nothing is more important than the safety of our children and our families. i do not take the responsibility lightly. as the acting chairman of the agency. and i would ask all of you to join me in helping to promote consumer safety, because i know if we're working together, rather than in our own little silos, we can be more effective. we can move that ball of safety even quicker and closer to keeping that consumer safe at all costs. again, my door is always open, and i hope you'll reach out to me if i can ever be of service. and, again, thank you to the consumer federation of america. this is a tremendous opportunity for me to be able to be here this morning to meet all of you, and i thank rachel and i thank cfa for all of your efforts to keep the consumer safe. thank you so much. [ applause ] unfortunately, we don't have time for questions.
9:38 am
the program is so tight. first we want to thank ann marie and now we are going to hear from a panel about the digital electrical grid and consumers.
9:39 am
[ indistinguishable conversation ]
9:40 am
[ indistinguishable conversation ] [ indistinguishable conversation ]
9:41 am
[ indistinguishable conversation ] good morning, everyone. my name is delia patterson, senior vice president and general counsel at the american public power association. i'll be moderating this panel today on digitizing the power grid. i see three major trends driving the power utility landscape
9:42 am
today. one is decentralization, the move away from centralized large-scale generation. the second is electrification, a move towards electric vehicles. and the third is digitization, which is the move towards an intelligent grid and the opening up of data it creates. today you can't discuss designing the future of the power grid without addressing the vast resolution that digitization will present to us. like with most things, there are advantages and disadvantages to digitizing the grid. this morning we have four panelists who are going to each share their views on this topic of digitizing the power grid and how this impacts consumers. first up, we have jim spears, who is senior vice president of business and technology strategies at the national rural
9:43 am
electric cooperative association. jim leads the department that comprises all technical, engineering and economic support, research and technology transfer. then we've got mark cooper, director of research at the consumer federation of america. mark is responsible for energy, telecommunications and economic policy analysis. then we have john howit, senior energy analyst at the national consumer law center. john has been involved with energy programs and policy issues since 1981. he manages program products related to low-income, energy affordability and efficiency programs, consumer protection, rate design and utility grid technology. and last but not least, we have lawrence daniels, who is director of litigation for the d.c. office of people's counsel. lawrence has an extensive
9:44 am
background in the electric and telecommunications industry. since january 2000, lawrence has worked for the office as a regulatory attorney, advocating on behalf of consumers' interests and a number of electric cases and telecommunications cases. with that i will turn it over to jim to get us started and we'll have time at the end for questions. >> thank you, delia. and thank you all. it's a pleasure to join you, and really the group of mark, john and lauren. a real alliance in this industry. i've had the great opportunity to join nreca, we represent america's electric cooperatives. i'm going to give you a few statistics about what it all amounts to. and as we see it, some of the challenges and opportunities. but before i do that, i don't know is steve brobeck still in the room? i saw steve earlier. did you know steve is retiring after 38 years as a great champion of consumer -- consumer
9:45 am
protection. and as we all are consumers, you know, i take consumer protection pretty seriously. we also have one of our colleagues, martin lowry. i think many of you know martin, executive vice president, a long-standing champion of consumer federation of america, who is retiring also after just about 38 years. his last day in the office is today. so this is a very bittersweet day for me. i came to nreca to work with martin and to establish this thing we call business and technology strategies that really is about how the cooperatives and the members of consumer cooperatives can participate in this new digitized environment, as delia said, the three key pillars we're talking about. and as i talk about cooperatives, think about small municipals. delia has been faced many of the same challenges and threats and opportunities we do. i wanted to give you just a minute -- how many of you belong to a cooperative?
9:46 am
rei come to mind? credit union come to mind, food cooperative come to mind? so you know the cooperative movement. there are two distinct kinds of cooperative. the rochdale movement. at the same time, the idea of consumer cooperatives came together, and we as distribution cooperatives for electricity are really consumer cooperatives. rei, obviously, a consumer cooperative. don't you love rei? i walk in and you see that, c-o-o-p. they're now aggressively labelling as a co-ops, which means they're putting the consumer first. which is really an important concept. and one that we all as -- who worked for cooperatives and certainly for america's electric cooperatives, that's why we work with them. we work anywhere in the industry, anywhere in the world. i've had clients worldwide. i've been very fortunate. but doing this for cooperatives that are putting the consumer
9:47 am
first is really important. a couple of factoids about america's electric cooperatives. 42 million consumers. 42 million consumers. we can mobilize consumers, the grass roots world, very aggressively. a couple of weeks ago here in washington, d.c., we brought our grass tops group. the leaders of america's electric cooperatives, about close to 80,000 strong, that we didn't bring all 80,000, but 2,000 had come to capitol hill and advanced the consumer needs of rural america and do that on capitol hill very aggressively. so those are the things that trade associations normally do. this whole business in technology thing is kind of a new kid on the block. we have really been deeply at it for about four years. and i'll talk about a couple of those themes in just a second. you think about those 42 million consumers, about 60% of the land mass of the united states. but you have in rural america, you know, some places one or two consumers per mile of line.
9:48 am
average of seven. investor-owned utilities, average of 30 to 35. municipal utilities, potentially even 40 consumers per mile line. so rural america already starts with a bit of a handicap. consumers in rural america, by definition, are going to have higher prices. so we understand that. and we work with it. but the thing about rural america, think also about we comprise about 42% of the distribution infrastructure. same amount of infrastructure as investor-owned utilities. and so the challenges in rural america, to get the consumer welfare and consumer protection and high-quality affordable electricity is a continuing challenge. again, many of delia's members face that same series of challenges. a couple of other things. manufactured housing. about 5.5, 6% of housing stock in the united states is manufactured housing. in cooperative territory, it's more than double that. it's 14%.
9:49 am
so right there, we have that challenge. if you think about the health care epidemic in rural america, the opioid issues, there are a lot of challenges facing rural america, and i guess the question i would pose to you -- i bet most of us are consumers here in urban areas. how many of you would say you live in a rural area? there's a couple. most of us are urbanized. why should we care about rural america? it's really simple. national security. urban america consumers are dependent on rural american consumer producers for water, food and energy. think about that. every day you're dependent on rural america. so it ought to matter. so i think the cooperative movement and consumer welfare and putting consumers first is really the centerpiece of what we try and do. let's talk a little bit about this digitization, and what this new landscape is that delia laid
9:50 am
out for us. what are some of the threats? well, data. data security and data quality is a huge issue. we have -- are . a few of you, all of your data is going to google, you probably signed up someplace and did not realize that you are giving up your data but we as cooperatives take that data security seriously, we put security and privacy first, after system operations, it's your data. not the cooperative's data. we want to figure out how to help you harvest the data for
9:51 am
the digitized world, when you think about data and the opportunities there, also think about equal access for all. low and moderate income, how are we going to be sure that the lower and moderate income consumers are not left behind in the digital future, we have a major initiative on access for all. there is a great way to use the data to empower consumers to make an informed decision, how many of you love pre-paid metering programs, if you are a consumer advocate, they do not like them but if they are done correctly, i am not implying that the utilities have done it correctly, but if done correctly, ergiving knowledge
9:52 am
and people are going to save production, data are critical to the quality of life and economic prosperity, how do we empower consumers to be able to use that, we used to have one data point a month collected out of the meter, now we are collecting data every 15 seconds, think about the volume of data. we are in big data now, what do we do with that, how do we use it for consumer protection and also consumer value and consumer welfare, those are some of the charges, we talked about lower and moderate income and the housing stock in rural america, also how many of you have high speed broadband? half of rural america does not, 34 million consumers are underserved or nonserved on
9:53 am
high speed communication, if we do not figure out how to do that, those consumers are left behind, in this day and age, you cannot function without high speed communication, think about going to the spot where you cannot communicate. if you are on vacation, that's a pretty good deal but for quality of life and economic prosperity, that's not a good deal, high speed communications is in the eye of the beholder, we think there are opportunities but there are significant challenges, we are working a lot with the administration and with congress to think about how and what is the appropriate role of federal support for expanding high speed communication so no one in rural america gets left behind. one other quick fact on the
9:54 am
reality that rural america faces, persistent poverty. 88% of the poverty counties in america are served by cooperatives, a majority do not have high speed communication or broadband. as we think about taking on the healthcare epidemic so consumers have quality of life opportunities across america, we have to do infrastructure development. we work on that with the trade association, we have real challenges but there are phenomenal opportunities for all of us and banding together to put the consumer first which is what cooperatives are about and bringing the opportunities to the table helps us mitigate the risks for the future, how many of you have gone through a serious storm where you have had your power out for a
9:55 am
few days, there is a new concept called reliability. now it's resiliency, the ability to return more quickly, the platform we talked about is called the micro grid, you build a small system, you build it so it can stand alone and recouple with systems faster, small utilities were the first micro grid, we gave it can to rural america a little bit at a time. now we are back to the micro grid and what it means for more electric and better environmental improvement, the electrification we were talking
9:56 am
about. i will turn it over to my fellow panelists. thank you. >> good morning, i am lawrence daniels, the director of the office of the people's counsel, we are the advocates for utility consumers in the district of columbia, i have had the good fortune of being with the office for almost 20 years, started in 2000, i have been able to see how the energy industry in particular has evolved, dramatically, 20 years is really just a blink of an eye when you think about how long the electric industry has been around but in these short 20 years we have seen a lot of change, i have watched this
9:57 am
change, there are four principles for consumer advocacy that the office of the people's counsel is focused on as we face grid modernization, the dc public service commission, the regulator of the home utilities has a proceeding for grid modernization, we have submitted a substantial amount of comments and attended conferences to address the issues going on with grid modernization, i wanted to touch on four principles for consumer advocacy, there are many more, but i will touch on these four to start off the discussion that i believe must be in place, first, the long standing consumer protection imperatives must be followed with modernization, quality service, reasonable rates is the foundation of consumer protection as it concerns
9:58 am
utility service but as technology ushers in modernization, all of the principles have evolved with the foundation, one that is important to us is equal access to the benefits of this new technology. technology should not usher in energy deserts or energy inequality. we have to make sure that everybody can benefit from the technology, although they may not be able to afford a solar system on their homes, community solar offers solar arrays to the people who cannot afford solar technology. also affordability. that has always been a foundational principle for consumer protection but it's going to be more so going forward, because as new technology is coming along, we have to pay for them.
9:59 am
nothing is free, we have to make sure that those that can participate in the technology are not subsidizing those that cannot. we also talk about protecting our data. that's going to be critically important as we go forward. we have to have a regulatory focus on making sure that cyber security is maintained. also control of the system must be made clear, utilities have been the gate keepers on what happens on the network but with the trucks of distribution energy resources, that can be generated by the resident or vendors, they want to connect to the network, we have to make sure that the utilities are not
10:00 am
serving as choke points to prevent or block progress. we are starting to see where regulators are coming up with policies that can introduce these technologies to the network without disrupting reliability, first and foremost but also so we have benefit of the new technologies, like electric vehicles and battery storage, third, a clear set of rules to govern access to system information must be established early. big data is an issue that we are all going to grapple with in this industry and several industries, i grew up in the telecom and then energy industries, energy is beginning to understand and in some
10:01 am
instances bump its head dealing with big data. in the energy industry, when i started in 2000, there was only one data point, the bill you got. now we are collecting data on a second by second basis, this tells a story about how you use your energy, that information has to be protected. is critical, not only to the integrity of the network and the confidence that consumers have in using the network, if they do not feel confidence that their data is going to be protected. they are not going to engage in the modernization, that could lead to shortfalls in meeting other goals that they have been relying on for consumers to
10:02 am
engage, lastly, mechanisms to measure the effectiveness must be in place to guide future policy decisions, you cannot manage what you do not measure, benchmarks have to be established early to see whether or not we are being successful as we march forward with this modernization, it's especially important when you are dealing with the energy industry because the electrification of america was the technology that allowed this country to be as great as it is right now, if we do not make sure that grid modernization is done in a responsible and ethical way, we have to see if we are meeting our goals and if not, how do we adjust. that's something this industry has not had to do in a while, adjust, benchmarks are going to be critical in understanding where we are going.
10:03 am
some people want a lot of options with pricing and in home technology, others do not but how do we develop policies to make sure that everyone's needs are being met and also make sure that the network is running safely and reliably. thank you. >> thank you. good morning. steve brobeck, thank you for the invitation to be here and congratulations to you on an amazing career, cfa is such a great partner of the national consumer law centers and we
10:04 am
wish you all of the best, i am the national consumer law center, we are a low income law and policy advocacy group based here in washington and in boston. i would like to give a special hello to my colleague, olivia wine, who is here and to the person who ran nclc for many years, and grew an organization that is unique, been at national consumer law center for 19 years, will regrets every minute of it. okay. >> i would like to talk about
10:05 am
grid modernization as it relates, particularly, to lower income consumers, data privacy issues that we have heard about are extraordinarily important, i am going to side step those a bit because some of the general consumer advocates here have got that under control in their focus on a couple of specific low income issues, i started assumption, in my work on technology issues, that clean energy is an imperative. there is no trade off between clean and affordable any more, they are both imperatives, equity is important but climate change is real and low income individuals and families are the first to be affected by the
10:06 am
ramifications of climate change, one of the opportunities we face in this technological and economic revolution is to reduce carbon intensity of the grid. as jim talked about, we have access to two way information flows, we need to modernize the grid in order to accommodate two way power flows as well. if we want renewable energy that is available during certain periods of the day or night and does not run like a regular generation plant, we need a modernized grid to generate that. the imperative for decarbonization turns the need for grid modernization into more of an opportunity. i would say that one of the
10:07 am
aspects of low income energy advocacy that has changed a little bit over the last five to 10 years is the extent to which there has been effective collaboration between consumer and clean energy advocates. this is another opportunity. but some of my green energy friends are helping to push affordability programs at the state level, we as low income advocates are strong energy efficiency proponents and we are finding common ground. i put the opportunity to collaborate in the plus column in terms of opportunities and challenges. well, in terms of concerns, i think that with a lot of the
10:08 am
investments in the new and modernized grid, there are upfront costs and anticipation of benefits, economic benefits that are often somewhat speculative and certainly at best, somewhat removed from the present, there is kind of a timing gap here and this is a concern for folks who are looking at cash flow challenges everyday. how are we going to allocate these first costs. that's a major challenge. we have unequal home energy burdens. we understand that. if the energy burden is a function of a household's income and their energy expenditures, for lower income
10:09 am
households, that burden is, just by arithmetic, higher, that's a challenge that we face with these upfront first costs. household cash flow is paramount, some of the up front costs associated with grid modernization create particular problems for our clients. a report sent around a little while ago demonstrated that payday loans, the number one reason that people take out these sometimes devastating loans is to pay utility bills, so cash flow. i do not know how well you see this but there was a 2015 survey of all residential consumers in the united states and the results showed that among households below $20,000
10:10 am
in income, 40%, at some point during the previous year, had given up a basic necessity to pay an energy bill, a basic necessity like food or medicine. we have cash flow issues that are critical and we need to deal with them. advanced metering, when a lot of people think about smart grid, smart meters are the first thing that they think about. so i wanted to say a few things about advanced metering, concerns for low income fall into three categories, there are the cost of the systems, they are not cheap, there is remote disconnection that can occur with the meters that did not occur with the analog then there are potential penalties from the time varying rates
10:11 am
that the smart meters enable. we would like to deal with these one by one quickly, system costs, the first problem. we have a tool kit full of effective low income energy assistance programs, bill payment assistance and energy efficiency. as we deploy these new technologies, not only smart meters but other digital technologies, the importance of these programs really increases, in terms of remote disconnection, we have also a tool kit full of regulatory consumer protections, these consumer protections need to outpace the enhancement of the consumer protections needs to outpace the deployment of the new technologies. we have great models to work with.
10:12 am
with respect to pre-paid service, i have to say that for low income households, this is problematic. pre-paid is concentrated among low income households wherever it's offered, in the united states and abroad. the disconnections from pre-paid far outpace that of post paying customers, in terms of providing the informational benefits through pre-pay, i say give it to everybody, not just folks at risk of nonpayment but everyone should have access to real time information. in terms of the penalties, we can hold harmless those that move to a time varying rate if their incomes qualify for bill
10:13 am
payment assistance, let's have hold harmless provisions so that any penalties that are incurred through fee price and time varying rates, these folks are held harmless through rebates, you can opt into the programs in the beginning, that's a protection, you can have shadow billing, providing consumers with what they would have paid under the varying rate options that may have been available. we need a planning and regulatory process that takes into account both clean energy objectives and equity and affordability objectives but none of these are impossible, they are not rocket science, is a matter of politics, some of it costs money and that has to be dealt with but it's not
10:14 am
impossible to move forward towards clean energy in an equitable and just way, i will leave it at that and i hope i did not go over too much. >> good morning. i always look at these opportunities to speak as an opportunity to give a call to arms. it's not something i get much time to do, but my call to arms today is simple, the technological revolution has already occurred. it's time for consumer advocates to get on the right side of history, embrace the revolution and defend the interests of consumers going forward into a progressive future. you cannot go back, you can be left behind or improve the
10:15 am
state of your constituents. now my approach is different from most people. i always do a big slide. hopefully i have a simple point and my objective is to convince you to read 500 pages in the back of it, i call it an analytics on conservative rate structures, i will get around to grid monitoring, is the sixth slide. this slide shows the last 50 years of electric generation, we have had a revolution, the alternative with wind and solar have become the least cost options and the social cost of carbon is irrelevant. it does not matter any more.
10:16 am
the least cost resources are alternative lower carbon resources, using the cost of carbon will determine, not the direction but the speed at which we go, the administration is spending an immense amount of time trying to get rid of the cost of carbon but in every meeting, the consumer costs of renewables justify them without a cost of carbon, they are fighting the last war, i am fighting the next war. there you go. that happens sometimes, technology. so what this slide is supposed to show you is that there are a certain range of countries here and states at the top that have driven the penetration of alternatives to high levels, if this slide did not have all of the issues, it would show you that almost all of america with
10:17 am
the exception of half a dozen states is already behind all of europe. so we are falling behind. we ought to be concerned about this. why are we falling behind? because the digitization of the electric system is another iteration of the digital revolution, we had a digital revolution. does anybody in this room not have a cell phone, nobody in this room raised their hands, the digital revolution has occurred. everything that you do is more efficient because of that revolution. in america, people spend 20 hours a week on the internet, 20 hours a week,
10:18 am
that's a lot of time. in the mid 1980s, we would ask, where would the time come from, people said, the internet would eat the television, turns out they are watching as much television as they used to. unfortunately, but that's what they do. so where did the 20 hours come from. from the unfortunate work of daily life. they eliminated all of the things that you used to do to get things done, you do not waste as much time getting things done, that's what is happening in the electric world. it's enabling us to use resources, distributed resources much more efficiently to balance supply and demand,
10:19 am
every characteristic of the digital revolution is expressing itself in the electric system and in the way we shop for groceries, amazon is disturbing the world, they are going to deliver groceries, people have tried to deliver groceries but they did not understand how the world works but the guy at amazon does. so i am going to show you a couple of headlines, this is the diagram where solar takes a big wedge, that picture is not california or arizona, that's new england. that's not a very sunny place if you have lived there and i lived there a while, digging out from the snow, that was a day in april in new england.
10:20 am
it's only begun, look, there are in fact significant inefficiencies in this system. we would be better off saving solar and moving it to fill in the top and the back, that's going to happen. is already happening. solar plus batteries is the least cost way in arizona, a fascinating second headline, california yesterday said every new house is going to be solar, they said all of those panels on roofs, very expensive. if you look at the order, they said that the builder has to build either a roof top or a community solar. so almost all houses are built
10:21 am
in tracts and developments, very few specialized houses and those people can afford to have crap on their roofs, so every builder is going to do one of two things, build a community solar which is a low cost resources and manageable, and everyone is going to have a battery for back up or he is going to make a deal with the utility and every house will have solar, the benefit and cost ratio of solar is two to one, i think he was talking about roof top. community scale is four or five to one, this is a done deal. the rest of the world is going to get this. we should also. but let's be clear, technological revolutions which
10:22 am
have already occurred are very disruptive things, the technological revolution is over but we still have to have a socio institutional revolution, we need to build an infrastructure to support that system. this is a contrast between the 20th century, a simple, dumb system, build capacity to follow load wherever it went. the future is managed load and supply, put them together, use all of that information, is very important. we have to build that institution, that's where the struggle begins, this is the sixth slide. grid modernization, we are at what is called a turning point or a critical juncture. we are deciding where we are
10:23 am
going to go, there is always a huge battle in this moment when people say, my gosh, there is the future, i see it, a lot of people say, it scares me, the people that scream the loudest are the webers, the luddites and the party of trump which may or may not be the republican party. the coal miners, they did not do very well in the past, the 20th century was not very kind to coal miners, now they are looking at a future where there are no coal miners, that's looking more scary than the bad existence that they had. so at this critical junction,
10:24 am
you can take a nation like america, tell it to turn back and then you will watch the world pass you by, that is what happened to the british, they were the leader in the industrial revolution, they did not know what to do and they got passed by, in order to encourage you not to, as consumer advocates, we need to have principles for progressive policy. rate making you have heard about. in every suggestion you hear, i believe you can justify in regular analytic terms, i have given you the economics, here are some principles about energy justice, availability, affordability, intergenerational equity and so forth, articulate them and explain to policy makers how
10:25 am
they will be achieved in real world policy. here's my favorite graph, an economics graph that nobody understands but that is okay, there are two problems, one on the supply side. the current rate structures are little within efficiencies and monopolies, we have to get rid of those. then we have the demand side. the value of electric to a low income household is higher than the value of electric to an upper income household. keeping the lights and the refrigerator on is more important than heating the pool, so in terms of keeping lower income people on the grid and enabling them to have
10:26 am
electric, even if you have to underprice them against your correct costs, it increases social welfare because the value of a kilowatt to a lower income household is greater than the value of a kilowatt to a middle and upper income household. i will not say i have resolved the efficiency equity trade off but these are economics, the fact of the matter is that if we restructure as we do on the right side, the gain in consumers surplus on the left side is lower than the loss, to total social surplus is higher, i am perfectly happy to be cross examined on that but i am trying to retire, at the end of the day, we are at a turning
10:27 am
point. it's a critical moment. there are folks on this list that do not want to see the future, they do not think they were well treated in the past. but breaking their machines not get them anywhere. the coal miners were not treated well in the past but they told their kids they could get their jobs. they did not tell their kids that education and training is the key to breaking the cycle of poverty. now is the moment for us to support this stuff, we are going to have plenty of chances especially with an administration that wants to go in the wrong direction, they
10:28 am
need to hear from everyone in this room, do not blink on electric and energy. thank you. >> we have some time for a couple of questions of our panelists. i will throw it out to the audience to see if there are any questions, if not i have a couple of questions of my own. any questions? okay. we do have a question. >> i have been engaged on these issues in illinois for a number of years, we have a grid modernization program going on in illinois and unfortunately it's dominated by the engineers, i am curious about what advice you have for
10:29 am
consumer advocates who are not steeped in the details, how to engage in the processes to ensure that consumer protections are observed in the process. >> i want to answer that by pointing to climate change, i encourage you to read it. the pope was a jesuit and was a chemist and he believes in science, he said, i believe in science but science that is not in service of social values is useless and harmful. so the answer is, engineers can give you answers to questions, but they are the wrong questions, the question for the engineer is how to maximize social value. if they do not recognize, as i
10:30 am
said, that lower income people have a bigger claim to a smaller number of kilowatt hours, they should leave the room. the question is it, how do you serve john's people in the best way. the digital revolution is about innovation at the edge, it's all kinds of crazy people doing all kinds of crazy thing, the answer is that their science needs to serve society. they do not think about that. >> someone add to that. the cooperatives typically do not invest in local utilities but local boards like the municipal utility board is
10:31 am
there to represent the consumer and consumer welfare. the best advocacy that you can bring to the table when you have all of these data pieces and all of this stuff in front of you, bring consumers in to talk about what they need. economic prosperity, improving the environment, these issues at the end of the day will start to dampen what we always had in the regulatory world, you can get buried with data. get out of the data world and hear the incredible stories about this new paradigm, regulators will listen to people. the average regulator is there less than four and a half years, they do not know what is going on. they do not have deep backgrounds in this space its
10:32 am
not a criticism it's a real, so bring people to the table and you will make a difference. >> that was a great question, the challenge at the state regulatory level, it seems, is for advocates to get together before these proceedings are well underway and to insist on a planning process that incorporates the objectives and values that we think are important. a lot of the utility regulators now, they are not used to looking at what they call noneconomic values. you know, mark cently points out the economics associated within equity but the utility regulators for the most part are just not used to looking at these sorts of values, i think that if we have a planning
10:33 am
process that is applicable to any sort of new proposition that comes forward with respect to grid modernization, rate design or the regulatory paradigms, all of the big questions that we face and the state utility regulators and the co-ops and munis are facing, if we have a process that looks at what would be the ramifications for energy burden, what would be the impact on secure access to service, take some of these very basic metrics and incorporate them into the planning process and the evaluation process, then i think that we have a chance and the engineers are going to have to take a deep breath and relax for a few minutes. >> briefly, i would say, the public interest is a balance of
10:34 am
a lot of different factors, you have the technical aspects of it. economic aspects are there and environmental but really whether or not this is going to work is whether or not consumers are going to use it and how they are going to engage, their interests are, i say, as a consumer advocate, are the priority. their interests are going to be the drivers, you just have to make sure that consumers' voices are heard, i agree, you have to bring real life, anecdotal stories to the regulators, they are people too. >> we have time for one more question. >> i am with the howard county office of consumer protection, in the old days, there was the utility.
10:35 am
now we have a bifurcated system of electric generation and then controlling the distribution, then you have the utility that has some power over the sellers of the generation, what is the regulatory structure going forward? what should that look like? it seems like we are trying to fit a square peg into a round hole but i am not sure how we go about changing it. >> the interesting thing to me is that the role of the utility spt regulator in the 21st century are in some respects much larger and more important than they were in the 20th century, the 20th century, they poured concrete and boiled water. it was a simple process, it was easy to figure out how much to pay because you did the rate of return on pouring concrete and
10:36 am
boiling water. in the future, they have to manage a complex grid. it's a lot harder and cheaper because it does not require all of that capital. it requires intellectual property and intellectual management. that's the big challenge, we have to find a way. consumer advocates always like to know the rate of return, now we have to figure out how to pay these guys for managing a very complex grid. that's going to be a lot harder but the total cost is going to be a lot less, if that's the future, then the regulator is going to have to be less of an accountant and more of a manager. it's going to have to be a referee between, in understanding, making sure that
10:37 am
consumers get the value that they want, giving the end edges as much power as they possibly can, that's a bill deeg in the digital revolution, but also it's a light-handed question of letting the folks managing it stay innovative. we are having this great debate about net neutrality, that's what the debate is going to look like over grid management. it's an ugly debate but it's an important debate and it's one we can win, i believe. it's a different kind of role. i think that mcallister is in that mode. he is an economist. they need to be political economists. adam smith was a political
10:38 am
economist. karl marx was a political economist. they studied how to make the world better. he has to be flexible and sensitive and he has to have a process that gives consumers their voice, gives utilities their voice, then you have this third set of generators who are in most states, still inside. in some states they are outside but a generator without a market is out of business, so the generator has to figure out how to live within the confines of managing the system. >> i always find it aggravating when i have to agree with everything that mark says but all of that aside, even though we are not rate regulated, our board is set as the rate regulator nor managing and
10:39 am
regulating this new thing, it's a daunting challenge. cooperatives are being seen as being leading innovators in grid modernization, it's a faster cycle for us than for a utility that has to go through a long, drawn-out process that has to have all of these different interests accommodated. at the cooperative level, you can move very quickly, right there you have very tangible examples of industrial and utility regulatory models that are out of sync with where this is going. so the consumer counsel's role is going to be significant in how that moves forward. >> i absolutely agree that the
10:40 am
traditional regulatory paradigm based strictly on cost of service regulation is no longer as relevant as it used to be and that performance metrics are going to have to come in to the equation, what is really critical in that transition, in my view and by the way, i do not think that we are going to completely replace cost of service regulation but we are going to enhance it with performance metrics, we have to get that right. if we do not pick the right metrics, we are not going to get the right outcomes, right now they focus very little on issue of equity and i think that we have a lot of work to do to change that, quickly here, during this transition, we have already talked about the extent to which access to
10:41 am
new technology is not evenly distributed. lower income folks do not have all of the newest energy management equipment, do not have all of the new energy efficiency technologies, they are not putting solar panels on their roofs, even if they own one. during this transitional period, having access to a utility service as part of a franchise monopoly, whether it's an iou or cooperatively or municipally owned, it's providing a last resort that will ensure reliable access and service to everyone. >> one final point, in this new loosey goosy world, we are not pouring concrete and boiling water, what are the principles?
10:42 am
in that world, two questions come to the fore: one, who has the right to act. in the old days, the utility had the right to act and the puc decided whether or not they would recover the cost. in the future, the right to act has to be distributed more evenly. suppliers and consumers have the right to act. then second, who bears the burden of proof. that gets different, if the consumer has a right to act to put a solar panel on his roof. the consumer does not have to prove that they have done the right thing, the producer has to prove they have done the wrong thing. going back to the industrial revolution, the fcc said anyone can plug anything into the wall as long as it does not hurt the system.
10:43 am
that gave us the cable modem. at&t said, it's going to blow up the equipment. the fcc said, bull, you have to put a jack in there that an ordinary consumer can put into the wall. if you think that phone is going to blow up your system, you have to prove it's hurting, he does not have to prove it's beneficial. that's part of the revolution, shifting the burden of proof and that's where the regulator gets to get good behavior, people do not want to blow up the system, they want to figure out how to make it work better. the regulator steps back, at&t tried for a while and gave up. they were not going to stop the phones from getting plugged in. they went to another fight.
10:44 am
it was evil but that's it. >> we are running out of time. please join me in thanking our panelists.
10:45 am
10:46 am
good morning, can you take your seats, please? thank you, thank you to all of you for staying for this session about the insecure digital world, i am susan grant,
10:47 am
the director of consumer protection and privacy at the consumer federation of america, it's interesting, just this morning in the session, the issue of cyber security was touched on many times, it's come up throughout the whole conference, it's certainly very timely. with so much in the news about data breaches, internet connected devices that can spy on us and our data from our online activities being collected and used in ways that we never would have expected, it's no wonder that so many americans are concerned about the security of their personal information, that's what we are going to talk about today with three excellent panelists.
10:48 am
michelle richardson, she specializes in privacy issues, then the director of consumer privacy and technology policy at the consumers union, the policy arm of consumer reports. previously he was the policy director of the ftc's office of technology research and investigation and before that he was with cdt, then steven is a partner in holland and knight's new york office where he focuses on advising companies on a wide spectrum of technology and legal issues pertaining to privacy and security, we are going to have a conversation among us and then we will save time at the end for questions from all of you.
10:49 am
so i would like to start with a general question, or a series of issues for all of the panelists to respond to. maybe it's never going to be possible to have 100% perfect security, but it seems like, in many of the data breaches that we hear about, they could have been avoided. i think that the poster child for that is the equifax breach where there was a software vulnerability that they knew about and they failed to patch it allowing hackers to steal sensitive information about millions of americans, this morning, there was another revelation that some thousands of people's passport information was also compromised in that breach. what i would like to ask the
10:50 am
panelists is, what are the main factors that contribute to these kinds of security failures, is it just not paying enough attention to security? is it not having the in place? is it not committing enough resources to it? what's the problem? >> sure. so i think you're absolutely right, a lot of the data breaches we hear about are completely avoidable, equifax is a good example of that. you hear lots of cases about someone had a laptop unencrypted in the back of the car that got stolen. for me from the policy perspective the key is the lack of incentives. they just don't bear the cost of data security in a lot of cases. in some cases data breach notification might be triggered and that's annoying and it's expensive, you have to hire steve. so there is definitely a cost there, but they aren't the ones who bear -- like when the
10:51 am
consumer has credit -- their credit is attacked, when they have identity theft they don't bear the cost of that. the ftc maybe has data security authority, they brought a lot of cases, they use an old statute from 100 years ago to say that companies are required to use reasonable data security, but that's being attacked in court right now, has been constantly attacked and even if the ftc can bring an action they can't get penalties. they can say you used unreasonable security and the company signs an order saying yes, i did, i will stop doing that. the companies can treat poor security as a cost of doing business and it probably should be a cost. they can't use 100% security but i think it should be a greater cost than it is today. >> michelle, do you have any thoughts? >> sure. i think we usually find that many times companies will say that because security is complicated we can't endorse a list of best practices, but when these breaches come to light they are not using just best of
10:52 am
industry practices that are actually really cheap and baked into services right now. it's things like encryption, multi-factor authentication, least permission access, things that don't actually require a huge technical skill set, it's something that your i.t. contractors absolutely can do. someone just needs to make a decision to do it. so when you hear that, well, you can never account for these sorts of situations and there is no way to fend them off, that's really just not true. i think the joke is always there are two types of people, those who have had breaches and those who just haven't found out yet that they've had breaches, right? it's not really about whether you can fend off an advanced persistent threat. if you are being targeted by north korea or iran for your intellectual property that's one thing, but even consumer data that will be sold for pennies on
10:53 am
the black market are not getting these basic protections. it really does go back to the incentives, there is no consequence at this point. we have seen over the last few years states are getting out there because the federal government is totally paralyzed and so we are hoping that these state laws are able to do things that we just can't, and here in d.c. with accountability, enforcement and penalties that really make it worthwhile for them to fix their systems in a systematic way and not sort of brush off each breach. >> all righty, then. so to push back on some of that just gently, so working on the data security side of things in a law firm, so we have to respond to incidents and also do preparedness and response, you know, from where i sit the -- my observation is that it's actually really hard to get the level of security that you would want in large organizations, complexity, any security professional will tell you
10:54 am
complexity is the enemy of security and when you get really large organizations you've got all kinds of different systems, some legacy systems, et cetera, and security is absolutely hard and it costs money and a lot of these companies have -- that have been involved in breaches actually have really top drawer security departments and spend a lot on security. you know, microsoft there's, you know, for example, in wannacry and some have pointed fingers at microsoft, there's actually a way to point fingers at the u.s. government, we could talk about that later, but they spend a billion dollars a year on development of security, right, for when they're making maybe -- i don't know, maybe $20 billion in profits. that's a huge budget outlay. so i think it's really hard. not to say -- and let's take it updates and patches even. if you are in a large organization and you get updates and patches you can't roll those out right away, they could have additional vulnerabilities and
10:55 am
you need to test them. if you would have, you know, done immediate updates, for example, for the intel vulnerability, the meltdown and spectre, you would have ended up bricking all of your machines because it turns out that the firmware update was for certain classes of hardware didn't -- wasn't going to work. so you've got -- there is a danger in the updates themselves and there's -- and that's hard. and then the last piece i would say, and this is going to be the most controversial one, i think, is in terms of harm and cost of doing business. you know, in a data breach where you have -- and, by the way, i would say also that the cost of data breach even if there is not a lawsuit if you end up with damages against the company, it's responding to it both with the security response vendors and the law firms, it is a hell of a cash burn per month, even for large companies.
10:56 am
you know, and when companies have data breaches they're terrified. this is not something that they take lightly. they don't like the brand hit, they don't like the cash burn and there's job security issues for the people who own the outcomes for all this. so there's that. but then the damage on the consumer, you know, if you have identity protection or you can put a credit lock on your account, like is it annoying, yes. are some people really harmed, yes. but in the aggregate what are we really looking at in terms of consumer harm. and, you know, i don't know. i don't know if it's as outsized as all of the horrific headlines in the media that we see. so that's the other side of the conversation. >> i think one thing we're seeing, though, too, is there is rapid move as software as a service and the use of the cloud and all of this is being centralized, right? it's not the world where you had 20 different software programs and we're very quickly moving to a place where you're going to
10:57 am
have fewer decision-makers in the security setting and they will be able to make smart decisions on a scale that maybe individual people cannot make. but the other thing, too, i think we need to push back on the companies is that to the extent that some of these breaches are about individuals having their passwords guessed, right, or phishing to click on a link that corrupts their entire computer, we have technology systems that make those things way too easy. you still sometimes go into your log in on an account and it says, well, you need 20 characters and you need an at sign and underscore but no underlines and three capitals. this has been debunked for years now that this is not a way that people can understand their passwords, right? that means they write them down and use the same one over and over again, but someone still on the tech side of this company has not switched to something that's going to be usable for your average person. so to the extent that we can get
10:58 am
companies moving in that way, they will actually be helping their consumers to better control their information. >> i will add -- i agree that there are some companies that do a pretty good job of it. sure, microsoft invests a ton of money into the space. microsoft was supporting windows vista until a couple months ago, a 12-year-old operating system, but then you look at some of the iot products coming out today and some of the default settings and they are objectively terrible. you look at the ftc's case against d-link and they are using like ridiculous practices. the case against wyndham hotels, a very sophisticated company, a lot of the things they were doing were things that pretty easily could have been stopped. again, microsoft does a pretty good job, apple does a pretty good job. your operating system on your desktop computer gets regular updates and they do a good job with that. your phones, some of them, like apple phones get a lot of updates, android phones, like maybe the flagships, maybe not.
10:59 am
the ftc did a report that came out a couple months ago and said it's a crapshoot. super expensive phones get zero support. refrigerators, routers, anything else, do they even have a process for getting security updates and a lot of them don't. so i agree, yeah, the ones that are in the news do often have systems in place. so even for like the intels of the world, i mean, who bears the cost of "spectre" and meltdown. for a lot of other companies the incentives are not in place to take it seriously enough. >> we are going to turn to incentives in a bit. steve, your firm has an actual laboratory that you use to test whether your clients are actually protecting data as they claim. can you describe what that is and how it works?
11:00 am
>> sure. thanks. and so it's sort of unusual for a firm to maybe have this type of thing, but we have an internal testing lab where for clients that have consumer facing websites, mobile apps, iot devices, we will set up a special network and environment, capture all the network traffic to and from the device and during test sessions also do a code analysis and then -- and really get after issues like data leakage and designed-in data sharing at the code level that may not be known actually to the people who own those outcomes in the companies. so, you know, in terms of -- in terms of data breach, i don't know if it necessarily gets at those issues, per se, but it does get at video privacy protection act, children's online privacy protection act, gdpr issues. which is an increasing issue. one of the things that you see
11:01 am
with development these days is increasing modularity. we've got third party code we're going to take from here and from here to perform all sorts of different functions whatever our software is, whether it's a mobile app or different kinds of software. those third party code libraries will call out during their operation. a lot of times what the developers think what that code does versus what the code actually does are two very different things that impact on privacy and security. we try to really get into the weeds on that. thank you. >> thanks. it really sounds like a great service. let's turn to the security concerns about internet-connected devices. we couldn't bring our colleague finn myrstad from the norwegian consumer council here, but we're going to show a video that his organization made. they studied several different brands of smart watches for
11:02 am
children that parents can use to keep track of them and communicate with them and as you will see from the study that they commissioned by a security consultancy firm, other people can communicate and track the children as well through these devices. >> volume? ♪ ♪ >> these smart watches for kids might seem like a good idea, but what about the kids' right to privacy and how secure are they really? we're about to find out. >> good to see you, sir. >> good to see you.
11:03 am
>> so, harrison, you've been looking at security of these smart watches. how easy is it to circumvent them? >> it was a lot easier than we expected. they were missing a lot of standard best practices that you would expect to see on these types of devices and as a result, you know, we had a lot of security findings. >> in what ways can a person or attacker get access to these watches without actually having them in their hand. >> an attacker would need a unique identifier for the watch or an imei and you use that as part of the registration process. i type in the verification code that i have, i forward the request along back to the server and now i've associated finn's watch with a new account that it didn't originally have access. >> this number is something also that you can find online. you don't need to have access to
11:04 am
the watch to get this number? >> no, absolutely. you do not need physical access to the watch to get this number. this is just one of the methods that we've identified. >> in the research of these smart watches what were the most surprising findings? >> we identified that there is the possibility to use these devices as a spy device without the kid ever having to activate any functions on the watch or even being aware that something is happening. i'm just going to send a text message here. it will automatically call me back. i can press answer on my phone here and -- >> am i talking back to you now? >> one of the key functions of these watches is parents can track their kids. on my way here i wore all of these watches on my arm. what can an attacker do with this information? >> an attacker would have access to all of the location history that would be stored in that parents' app. we also identified some other problems with location history where an attacker can manipulate where the location of the watch
11:05 am
looks to be in the app. here i can see all the location history. >> this was my walk here. >> absolutely. i can see the exact time that you were at this location. >> right. >> so with the attack that we've done here we've changed the location data that was sent from the watch, between the watch and gator server so we make it look as if the watch is in london when in reality it's sitting here with us. >> these smart watches have an emergency sos button. did you find any issues with it? >> we did identify some problems with the emergency functionality. so normally a child could press the emergency button and it would initiate a phone call back to the parents, but an attacker with control over the app could change the phone numbers that are supposed to be called or they can just delete them entirely. >> okay. now, the s has showed up so it should have activated the sos function. okay. so now it's calling back to my
11:06 am
phone. >> you've taken over, you are now a person who should not have access to this phone. >> right. >> you have put in a different phone number than the parents' phone. these smart watches collect a lot of sensitive information about children. is it stored safely? >> not as safely as you might think. on some of the watches the communication was not encrypted, so anybody sitting on the network could see that information passing back and forth. some of the servers don't protect the information the way it should be. with one of the watches it was actually possible to return data for other users and see location information about -- about other people. >> as we have just seen, these watches are clearly not safe for children and also they violated the children's right to privacy.
11:07 am
until these issues have been resolved they should be removed from the shelves and in the long-term we need better rules to protect children and grown-ups from unsafe and privacy violating products. >> well, removing these things from the shelves is really difficult. these watches, for instance, mostly are made in china under many, many different brand names. contacting the companies behind them which finn's group tried to do proved really difficult in many cases. the federal trade commission certainly doesn't have the ability to issue recalls and as we heard from acting chairwoman buerkle this morning, the cpsc doesn't see at least at this point that it's within its remit to deal with these kinds of security issues which could
11:08 am
actually put children physically in danger. so what to do about this. one thing that's happening, justin, is that consumers union has launched a new program to test and report on the privacy and security of these kinds of internet connected devices. so can you tell us why cu started the digital standards program, how it works and what you found so far? >> yeah, so it was really, i mean, more about consumer reports. so consumers the advocacy and policy wing, but consumer reports has an 80 hundred year history of testing products, looking at tvs, cars especially. so we're really good at evaluating products, but now a lot of products had these new dimensions, they're internet connected, other things to be worried about, not just how well does the car different, are there data security concerns. about a year ago the
11:09 am
organization put out this digital standard which is the metric by which we're going to start looking at companies for some of these new values. we partnered with a few organizations that have a lot of experience in this area, ranking digital rights part of oti which did a lot of work looking at policies and evaluating which ones are better and worse, disconnect me which is a maker of an ad blocker, a lot of experience in the ad tech space and the cyber testing lab which has experience with testing cyber security issues. we put the standards out and what the cyber best practices are, looking for security best practices but also other issues, too, like repairability, can you actually repair your own device. interoperability, ownership, do we even own our devices anymore. michelle is talking about everything is running software as a service. do we own our refrigerator or is it refrigerator service that can
11:10 am
be bricked remotely when someone wants to. these are the values we talked about and now the challenge is translating that into actually rating products. so we started to do this, we announced our first test case looking at a bunch of smart tvs, this is an issue i worked on at the ftc and cared a lot about. tvs traditionally were just a screen and you plugged your cable into it and then you would watch it. now they have a lot of software on them and sometimes that's cool, right, you can use it to connect to netflix and amazon and do other stuff with it and use it as skype or a web browser. this is a thin margin business, right, with a lot of chinese companies who are churning out screens for low cost, looking for ways to make more money. a lot of these companies are now doing, they want to watch what you're watching so they run software to send screenshots back to their servers so they can process that. justin is watching a basketball game, he's watching a good place
11:11 am
or whatever and they can build a log of what you're watching. they look at google and facebook who are printing out money by serving targeted ads and are interested in doing the same thing. we looked at these under the standard and try to say which ones are better, which ones are worse. they all kind of try to get permission for it. there was an ftc case against the manufacturer vizio a couple years ago that said that tv viewing is sensitive so you have to get permission. they all kind of have permission, they all throw up a screen where they talk about content recognition or targeted content, but, you know, you could tell that in a lot of cases they are definitely phrased to get you to hit accept, the skip button is hidden in a corner. how do we assign a score to that, to a user interface? for the first one we didn't feel comfortable picking winners and losers, we learned a lot from it. i have my thoughts about it but
11:12 am
cr is a careful organization that wants to get it right. we have a history of testing things and the scientific process in place and so i would like to say whatever justin feels like, but we actually have to have a more rigorous process for that. the goal is for the next set of ones we will be releasing soon is to pick best and worst to at least rank them and then with the goal that one day we will be comfortable assigning a score to say this tv gets like a 30 on privacy because they don't tell you that they are watching what you're doing, they don't get security updates, they don't do this and that. that's the initiative that we've launched and the goal is to actually make it part of our standard evaluating products because this is a feature, an area of interest for more and more products. >> so this is obviously going to be helpful to consumers because they will be able to see these rankings and take them into account if they are the kind of consumers that we like that research before they buy things like appliances. maybe it will put some pressure on the producers, although i'm
11:13 am
not sure how much these chinese companies are going to care. >> but like the big companies do, right. i mean, i would say the samsungs and the people who make a lot of products, especially in the car space where i think cr -- people trust cr on cars, they are very interested. so they've all called and wanted to talk to us about it. >> that's good news. so, michelle, what consumer reports is doing and what holland and knight's testing lab is doing for its clients is really helpful, but is it enough? what more do you think needs to be done? cdt recently issued a really interesting paper about strict liability and how that might force companies to pay more attention to security. could you talk about that and share your thoughts? >> sure. so we're very happy to see what consumer reports is doing. it's kind of funny, i spent a
11:14 am
lot of time with the executive branch in convenings and interagency blah blahs and for years the companies have said don't regulate us, let's just do something like energy star for the internet of things and then consumer reports came out with an energy star for the internet of things and they were like, wait, we thought we were going to do this for ourselves. it has really changed the conversation, there haven't been a critical mass of reviews yet, but i think it has kicked people in the pants to realize that consumers are going to organize and there's always value for consumer self defense. it's only one piece of the system, but especially where we are now where the political process and the legal system is failing us, it's more important than ever. so we did try to look at how the legal system is handling these cases and we ended up focusing on strict products liability because it seems to be the only way to recover right now and
11:15 am
only if someone is hurt very seriously or something is destroyed are people finding their way into court. on these cases are settled quite early so there is not evolving case law here. to the extent that people have died in car crashes or another popular area is medical devices, i think we've seen in our paper that's things like cancer treatments, pain administration, all these things now are actually looked to the internet and the failures are really life and death issues. to the extent that this can evolve, i think it makes sense because these producers whether it's the hardware or the software are the only people in a place to make serious decisions about the security and this is unlike other things that have a physical component or things that people intuitively understand. you cannot make informed decisions for yourself on every
11:16 am
connected device you possibly own. i think there are a lot of people who maybe even have connected devices and don't realize it. you don't realize your comcast remote is always on listening and that's the default when you got it, right? or your tvs and the dumb things that are now being put on the internet with toothbrushes and, i don't know, flashlights and it's pretty much endless, right? for a very long time they always said, well, just don't buy it. someone said we are not going to have a choice much longer. the first thing to fall was cars. you are not able to go out and buy an unconnected car, you are not going to be able to make that choice to say i don't want to put myself at risk in that way because then there is sort of the right to repair related issues and licensing. they put into your licensing agreement that you actually can't disconnect the car, it will void your warranty. so there is going to be a point where we can't opt out. if we are going to create that system that means only one group
11:17 am
of people is going to be responsible and it's going to be the people who built it. i would say that the companies are getting nervous about there being some sort of negligence regime possible, we are seeing more and more legislation here in d.c. with liability protections and they are usually incredibly broad and they will say something maybe like, you know, if there is a reasonable standard of care, you are not liable. and while that may seem like, okay, well, maybe that's trying to explain negligence, what they do on the back end is they say, but you can't actually bring suit as a consumer, we're going to kick it to your ags, but then the ags have to bring a single suit all states together, it has to be before the d.c. circuit court and the ftc can intervene and they are making sure recovery will never happen. the other request they have going is that there is a limit on damages of a million dollars per incident, not a count, so equifax, all of that would be a single $1 million fine on behalf
11:18 am
of every single consumer in america. that's the proposal before congress right now. so i've got myself so far away and worked up over this, this is -- >> that's okay. >> we're really not moving in the right direction yet. i will just wrap up to say i do think cambridge analytica has been a turning point, it was partly just because people were shocked about how much data was there and how it was being used. i think a lot of us who followed it knew this, we knew how bad the terms of services were, but it was never explained to average people in a way they could understand and we're finally turning that corner and i think serious privacy and security legislation could be a reality in the next couple of years. >> maybe. i'm going to turn to justin and steve for their thoughts, but i do want to just pick up on one thing you said. yesterday we heard from illinois attorney general madigan about
11:19 am
the good things that some things have done to enact privacy and security laws, but we also see things like a recent bill in ohio which would create a safe harbor shielding companies from liability for bad security if they have followed certain voluntary standards like the ones developed by nist or other sort of voluntary bodies. you know, we oppose this bill because we think that it's a really bad idea to prevent people from being able to bring actions to hold companies accountable. some might argue, though, that it would actually give them incentive to do better. so why don't you respond to that as well as in general your thoughts on liability.
11:20 am
>> sure. so on the point of the strict liability proposal, for example, i think -- so i would take a step back and say, you know, when you look at tort law for product liability generally and i'm not a product liability lawyer, but here it goes. you know, we have the -- when you got, you know, a license or a consumer contract on the harm that results that's purely economic in nature will be governed by the contract and if there's personal injury you can sue in tort. this is something that held sway across the landscape of consumer products for quite a while and in terms of strict liability, i believe that you have to have, you know, particularly known dangerous instrumentalities in order to get out of normal product liability and into strict. even in strict liability you
11:21 am
have to prove a product defect and, you know, that it's the cause. so i think in terms of, you know, the -- what in law school they would call the least cost avoider i'm not so sure it's the companies that are actually making the products. on the modularity piece both for code and for hardware it's not like the companies that are putting the products on the vessels have made most of the hardware that's in that product or written most of the code, that's probably unlikely. they've made some of the hardware and written some of the code. but, you know -- and certainly -- and then there's the issue of are we talking about, you know, are we talking about pacemakers and autonomous vehicles and, you know, bloody wrecks on the highway, are people dying because they're getting zapped by their pacemaker or are we talking data breach and things like that? it would seem to me i would caution -- i would counsel caution on any change in sort of
11:22 am
the default structure of our tort liability system which i think because of the way it's set up leaves play in the joints for innovation and folks to make mistakes that aren't grievous and have companies be put out of business by that. think about, for example, the htc from several years ago by the ftc where there were issues with -- with the way that htc -- was putting phones on the market with preinstalled android permissions that really were not done in a secure way, but the installed user base was something like 18 million people or 20 million people. there was not a single incident that i know of or have read of, of a known compromise, of known vulnerability or known harm. should we hold htc to a strict standard and put the company out of business with no harm? i would say put the brakes on in terms of strict liability. i think that that would have to
11:23 am
be considered very carefully and probably, you know, there is a big difference in terms of how we think about pacemakers and autonomous vehicles possibly versus, you know, network connected fish tank thermometers and things like that. of course, that have actually cause of a data breach in the case of a casino. we don't need strict liability to know that we shouldn't hook up fish tank thermometers to our company network. >> that might help. i think it's a really interesting idea. i really enjoyed the paper, i recommend people at least take a look at it because i've often wondered about the intersection of strict liability and warranty law and all the things that are on the internet of things. we already have strict liability for a lot of data breaches. data breach notification is a strict liability cost. if you have data breach and you lose someone's social security number it doesn't matter if you are the world's best security, there's no reasonableness inquiry into it, you have to notify people, that's a cost.
11:24 am
i think that's a feature and not a bug. we are trying to extend that in a bunch of states to other sorts of information like online cloud storage, if your online account gets hacked you should be told about it, one because you should know but it also is good to incur costs on companies for going through this. a lot of money goes to steve and maybe it's not the most efficient allocation of resources in the world, but it puts costs on companies -- >> pretty efficient. i was just kidding. >> it puts costs on companies to make them take security more seriously. i'm interested in this idea in doing it more generally where you don't even need to consider the reasonableness you just bear the cost of what went wrong. i think steve makes a good point that is this the way it's been interpreted in the past doesn't quite translate over here. we talked about defects. the problem is code is inherently defective. all code has defects. whatever the next version of android that comes out google will have pumped trillions of dollars into it with the smartest people in the world making but it's going to have
11:25 am
defects. the key for security is to recognize that and have in place a system to recognize that after the fact and watch it and deploy the patches and get people to install the patches and to remediate it as best as possible. so how does that affect strict liability, i'm not entirely sure. i think it's a good question about where in the stack the liability should lie. android technically is open source. if someone like someone just changes the code and puts changes to it it's really a question of how htc or samsung implements that code, which of those players bears the responsibility for that. so i strongly agree that the incentives need to change. i have traditionally thought about it if you use bad practices then you bear some costs but i'm interested in the strict liability idea. it is a little bit fraught, but, again, something needs to change in order to get the majority of
11:26 am
the players in this space to take it more seriously. again, there is still the supply chain issues. the ftc brought a case against a smartphone manufacturer that was white labeling a chinese phone. do they bear the responsibility for the defects that the chinese manufacturer put in place? the ftc said yeah. there are complicated issues that need to be unraveled. >> any of the other panelists have additional ideas for what might provide good incentives for better security? >> so just to hop in very quickly in response to justin. versus government action and changing the default settings of tort law versus having a private company that sets standards and holds companies publicly accountable to those, it seems to me that the private sector solution, you know, unless -- unless deemed to be an utter failure and it's of course just getting off the ground i
11:27 am
would think that that's the forum that probably makes the most sense and has the least chance of disrupting innovation and actually being an engine for innovation. so i actually think what consumer reports does is great and has, you know -- again, i think that with the ftc certainly there are some of these investigations that we understand and then there's others that we think that are just, you know -- head scratchers and what not. so really applaud the private sector efforts of consumer reports. >> thank you. private sector self-regulation has a role. self-regulation is most effective when there is a threat of real legislation or there are -- and right now we are in one of those moments. right now there might be incentives for things to be put in place. in the privacy space 2012 there is interest in privacy
11:28 am
legislation especially around ad tech. we are going to do do not track and we will take care of this for you. some of the momentum behind legislation fell away and do not track fell away. self-regulation will always play a role but it will not be sufficient by itself. it has not been sufficient in the space given the extensive data security failures of a lot of companies. so, again, recognizing that perfect security is both imperfect and undesirable, i think still it is a continuum and we need to move the needle farther in the direction of security. >> and i realized when i was speaking about strict liability i kind of bled into some of the efforts to do something below that at a more negligence level and that's what some of the states have started doing on outcome based, you know, sanctions. so there is always that option that there is some sort of legislative response and that's what you are eventually going to need.
11:29 am
i think we kind of get in this rock and a hard place where they say you can't write standards for the industry, it's too complicated. let us figure this out as things go wrong. things do go wrong and you want to recover in court they say we don't want to spend 20 years litigating this, shouldn't there be a list. you can't get out of the hoop where we pick a path and go forward with it. as someone who is d.c. based so maybe this is a little afield of consumer actions, but one thing i'm excited about with the trump administration is that they want to get harder on their contractors and improve their own security and they're going through an i.t. modernization process right now where they're trying to allow agencies to save up money and make big purchases and shared services and sort of slingshot past the constant update of crappy old systems, right? they only have enough money to update their windows that's ten years old over and over again and they never actually get to upgrade significantly.
11:30 am
so as a purchaser the government can affect the private market so i am hoping that this process if they are really clear about minimum standards are they can affect what the big companies actually put out because that has happened in the past and it's something that they are considering. i know they've said they have reached out to ul and others because they want to try to use a purchasing power as opposed to direct regulation. i would say, though, too, just how privacy works in this country, security may follow where we do do it industry by industry. so the agencies in congress are much more involved in select areas like health devices and cars and there might be other areas where highly regulated industries that are already, you know, reviewed for safety, cyber security is just sort of layered on as the next thing because there are so many cyber physical results anyways. right? if you are trying to understand how these things work it doesn't make sense to not consider cyber
11:31 am
security while you're doing it. that hopefully is something that can lift all boats. >> just for two seconds on, you know, again, sounding the caution bell for, you know, how well privacy legislation has worked -- or regulation, you know, in the case of coppa originally the government wanted to, you know, protect kids from porn and it turns out that you can't really do that effectively because of the first amendment. so instead what we ended up having is a regulation that protects kids from lego ads because you can't have targeted or interest based advertising so kids get ads for sushi. it is a regulation that has costed -- has costed -- has cost -- geez, it's friday -- has cost industry millions of dollars, it has taken content off of the market that would otherwise be available because it's too expensive for small providers to put content out there and kids get sushi ads instead of legos. it is a regulation that has never protected anybody from anything.
11:32 am
we need to be careful before we go and do that. >> oh, i'm making a note we're going to have a session on coppa next year for sure. we're going to go an extra ten minutes because we started late so there's one more thing that we're going to talk about before we open it up to questions and that is the latest outrage, facebook and cambridge analytica. some people are calling it a data breach which i don't think is technically accurate, but there is no question that there are companies such as facebook that are collecting tons of information across various platforms and making it available to others to use without necessarily having a system in place to ensure that it's only being shared and used for the purposes that are intended and that it's secure. so my final question for the panelists is what should be done to monitor the trail of the data
11:33 am
after it's left your hands? >> the easy thing to do is to lock down the platform which is one that facebook eventually did, it just closed the barn door a little too late. in facebook's case specifically it will be interesting to see what the ftc ends up doing with that because, as i said, in most cases the ftc can't fine you when you do bad things but if you have previously done a bad thing and signed an order saying you are not going to do bad things then they can get catastrophically large penalties. a lot of people are saying this is an easy case. i think it's an interesting case. i think the ftc order is worded very specifically so a lot of the questions are -- some of the theories some people are proposing i don't think are going to work, but the system they had in place which was obviously prone to abuse, right? we wrote a letter to facebook about this in 2010 when i was at
11:34 am
cdt and joined with epic and cdd and a bunch of other folks saying this is ridiculous. any app that someone installs can scrape all your friends' information. you have to shut this down. they waited five years to do that and, you know, just -- and to their credit they did shut it down. i think they get credit for that, which is why it's interesting that a lot of the conversations now are switching to other facebook problems, like the hearing with mark zuckerberg focused somewhat on cambridge analytica but a lot of this was about all the other things they do, how they track you off of facebook. i think a lot of how facebook responds to that now is that door is shut, but, i mean, there's lots of things we can talk about facebook wise. i think that will be interesting to see how they react both on all the extra data collection they do but also how they police their platform for being abused. but those are kind of like a lot of separate issues. but, i mean, yeah, whether it's -- i mean, you get to the issue of is it a data breach or
11:35 am
not? it's an interesting question because the end result was someone who should not have had the data got the data. does that make it a security incident? i don't know. would the ftc go after that by itself is an interesting question. they might. it also depends on what people are told, what people's reasonable expectations are if they were told or had reason to believe what they put on facebook would just be shared with their friends, not whatever stupid farmville or whatever app that they were playing at the time. >> i know we back at the cdt office are trying to think more holistically so i don't want to say here is the solution. i think we're trying to talk to a lot of people and come up with a plan that will stand the test of time, right? that will account for facebook, but other situations. i think one interesting idea my boss talks about is sort of like a covenant that runs with your data, right? that this idea that so often our
11:36 am
terms of service say, well, yeah, you could use it for other things to give me my service and make my service better and people assume that to really be in the four corners of service you have and the sort of crazy way that spins out is really not a fair way to use the data. so is there a way to better enforce this idea of what your permission means? i think, you know, some of the things that we need to separate out are the security and the privacy. to me this is very clearly privacy. security is objective. it is whether you can control who accesses and uses your data, right? but privacy is a normative value of what do we decide how it can be used, right? you are now in the box of what's legal and what's under your control. here this is definitely a privacy violation. they knew what they were doing, they chose to set up the system like that and people just -- it
11:37 am
didn't sink into them about what that meant. there are very closely tied security and privacy but they're different and i think there can be different consequences for it. i think what we're hoping to come of this is that maybe there are some types of data that are absolutely protected because it's just so crucial, right? i mean, the recent dna case was very interesting. talk about something that you can never get back and never change. how do we think about dna? and i know our goal, too, is to get beyond the notice and consent model as sort of a generic out because that has not worked, it's not been meaningful and it is not serving people in any useful way. >> steve, any last thoughts about audit trails? >> yeah, so it's hard, i think. not that that's helpful. but companies are trying to deal with this the best they can. we are seeing -- we're seeing
11:38 am
companies with an immediate need for actually having to stand up systems that do this because of complying with gdpr for eu facing activities and you have to -- you basically have to know what's going to happen to your data and if you're going to share it with a third party you're putting your neck out, you know, potentially for 4% of annual revenue, not profit, revenue. and so there's various ideas that folks are trying to implement in terms of recordation and tracking. there are certain required consents under that regime, specifically especially for sensitive categories of data which would include political beliefs and philosophical beliefs and whatnot. graft that onto the social network scene and, you know, it's probably very different type of group of consents that would be necessary to have, you know, released this data here, but then again you are going to have the problems with folks what happens when there's breach
11:39 am
or what happens when there is a deviation. i do think that especially the way that that is tied into the political situation, you're talking about potential societal wide impact for this type of data, you know, i think there is a sea change and part of it goes to when you have a company where the entire economic model is leveraging to the max your data, you know, this is a tension that is awfully hard but it's hard for everybody and i would be lying to you if i said there was some, you know, great solution at this point. >> we could all agree it's not easy or it would have been solved already. i think we've had a good discussion describing what the problems and the issues are and now it's time to open it up for questions. is somebody going to pass a mic around? thanks. rachel, she does everything.
11:40 am
and so please identify yourselves if you're willing, if you wish to remain anonymous that's okay, too. make it brief, whether it's a comment or a question, don't make a long speech. >> hi. i'm dan mccrory with the chicago consumer coalition. the question is for mr. ruse. in the last 30 seconds of your original presentation you introduced concepts of brand hit and cash burn. indeed the entire conversation seemed to be that there's corporations and there's individuals and there's different ways of measuring
11:41 am
their damages. now, i thought the supreme court just last year decided for us that corporations were individuals and we should judge them that way. it seems our entire conversation challenges that. am i misinterpreting some things? >> i'm not sure that i actually grasped the question, per se, although i will certainly concede that there's, you know -- in the legal realm the fact that you have real concerns and you have legal concerns ends up with some odd results for sure. my point on the cash burn thing was simply that i think that the impact to companies is significant even for data breaches that don't end up in lawsuits, per se, and that it's not necessarily -- at least this was my view -- there wasn't necessarily a lack of incentives. i think there's a lot of scrambling and investment by companies and disincentives to
11:42 am
having data breaches and adverse incidents but that they happen anyway notwithstanding that those costs are borne and real and are felt. >> hi, i'm mike lit with u.s. pirg. just this week it was reported in fortune magazine that 57% of the global fortune 100 companies have continued to install the flawed version of apache struts which is the software that led to the equifax breach and which the fbi warned against over a year ago and y'all kind of touched on this a little bit but i'd love to hear everyone's thoughts on if we don't require immediate implementation of patches or have penalties what requirements or consequences will protect our data because what we have is there's clearly still a problem. >> so i'm not familiar with the fortune story, but, i mean, certainly the idea that even large sophisticated companies failed to make updates,
11:43 am
obviously given equifax is certainly plausible. how to regulate security is an interesting question. i've seen provisions as simplistic as thou shalt use reasonable security and i've seen things like the massachusetts law is fairly prescriptive. a mandate update to install patches, there's patches and there's patches. there's critical patches, do you want to tie something to a cve designation? i personally lean against more prescriptive language. i don't think government can -- like they can't say what level of encryption do you use? the law can't keep pace with that even if the ftc had rulemaking. i err more towards a general reasonableness standard but with more of a stick. i mean, i take steve's point that it hurts to have a bad security incident. it should hurt more. >> yeah, i mean, in terms of the fact that you've got software
11:44 am
with known vulnerabilities still being installed, i mean, one of the questions, too, is what company is installing them? you know, not all back end databases are created equal and a few are -- if you are a credit bureau or company with a data broker or something like that with lots of sensitive features in your data set, that's one thing. if you are a company that's got, you know, data that's not nearly on that magnitude, yeah, maybe it's not a good idea, but you're probably not causing, you know, societal harm. >> microsoft's clippy page is running there's no institutes, that's another reason why it's really hard to prescribe it, but then i think the ftc should have the ability or other regulators or potentially private actors should have the ability to come in after the fact and say, okay, that was unreasonable and then the case law will build out what that looks like. >> hi. i'm with the montgomery office of consumer protection. i guess mr. russa i'd like to
11:45 am
start with you or if someone else has some comments of course. i'm going back to the idea of strict liability. your examples of htc and this is not my field and the pornography seemed -- well, i don't know, a little logical fallacy-ish if you don't mind me saying. with equifax where there is an element of knowing, do you not think that the strict liability would be appropriate if there is actual knowledge? i mean, just in a jurisprudential type question. >> equifax is not a client, i can't speak for them and i wouldn't concede necessarily that there was scienter. but let's unpack that -- >> [ inaudible ]. >> okay. but what i want to do is i want to take your example and just as sort of as a hypothetical even, even if we are not attaching it to a specific company and saying, well, what about strict
11:46 am
liability? but if you are talking about -- if you are talking about an entity where there's scienter for a bad act and you have resulting damages why would you need strict liability? you have fault, you have intent, you have causation, you don't need strict liability. strict liability is there was a vulnerability but we don't know if it was your fault or whose fault it is and we're going to impose damages. i actually think the existing tort regime responds potentially to that, again, in the hypothetical. i'm not looking to throw anybody under the bus. >> but consider the counterfactual. let's say equifax had the world's best security in place and they tried everything and then someone still found a way in and no one would say -- even looking after the fact, oh, man, no one could have possibly thought of that. but then as a result, like, you know, 150 million people's information was breached. who should bear the cost of that? i mean, is there still a rationale that, okay, this is the cost we have, this is the cost society has in having online
11:47 am
outward facing databases containing super secure information. the credit bureau system should bear that cost. i can see the argument for that. i think that's actually one of the easier cases. i feel a little bit more comfortable with that. in some of the other areas where it breaks down is when there is unclear responsibility, right, because there's different layers of the stack, some of it being open source. but there i can -- in that case, especially given the sensitivity of the data i can see more of an argument for it. >> especially knowing how that information is used to make incredibly important decisions about whether we can even buy homes or participate in the economy, that we don't have a voluntary relationship with them. it's not like if they screw up i'm not going to use your service anymore. there is no way out of them. they are one of those industries that need to be much more carefully regulated and they should be kicked out of the system if they are not able to secure the data. i don't think the current tort system -- well, i hope the
11:48 am
current tort system works. i think the problem with the demonstration of harm is going to catch up with this sort of thing because they will say, well, you don't know if this information is actually being used somewhere. right? how do you actually show this has been bought by criminals and how do we know when they used it was actually from this breach and not the 800 other breaches that have happened with target and all these other things. and that's where something like a strict liability regime is so important. there are some things that the cost is so great and distributed that you need to stop it on the front and there just may never be a back end fix for things like this. >> thank you. steve, do you want to say anything before we close? >> sure. >> oh, that steve. >> let me thank the panel very much. this was a great conversation and we will continue to debate these issues. join me in thanking them. [ applause ]
11:49 am
>> i know this conference has posed many very substantial challenges to those of us who are seeking to represent consumers, but i also think that the conference offered many solutions, offered us a better understanding of these issues, how to attack them and also identified some opportunities and strategies that we can take advantage of. listen, thank you all so much for participating. those of you who are with member organizations, the annual meeting will be at 1:00. safe travels home. [ applause ]
11:50 am
[ applause ] coming up later today here on c-span3, former fbi director james comey will be speaking at the brookings institution about being fired by president trump. he'll also talk about the russia investigation and his book "a higher loyalty: truth, lies, and leadership." that's coming up live today at 2:30
11:51 am
p.m. eastern on c-span3. this weekend on c-span saturday night at 8:30 eastern, the national rifle association leadership forum in dallas. speakers include texas senators ted cruz and john cornyn. sunday at 6:30 p.m., starbucks executive chair howard schultz on the responsibility of global companies. sunday night, author sal li cly talks about where hate begins. and at 8:00 p.m. on sunday, former secretary of state condoleezza rice and stanford's amy zeigert on the future of american diplomacy. and on american history tv on c-span3 saturday night at 8:00 eastern on the presidency, hillary clinton and linda robb johnson talk about the white house years of first lady betty ford. and sunday at 2:00 p.m. eastern, cartoonists and legal experts
11:52 am
discuss the supreme court case hustler magazine v. falwell and its impact on editorial cartoonists 30 years later. the house energy and commerce subcommittee on energy yesterday held a hearing on the reliability of the electric grid. witnesses discussed transmission infrastructure and alternatives to the traditional grid. this is about an hour, 20 minutes. we're going to get started. i want to let folks know our committee has a pretty major bill on the house floor this morning, a bill that passed out of committee 49-4 on nuclear waste. i know that debate there has started. a number of us have been there already to speak. our colleague is helpingo



Uploaded by TV Archive on